
DeconstruCT.F 2023 - Missing

Description

Category: OSINT

Jason Todd went missing and all Alfred was able to recover from his PC was this file. Help Alfred find Jason.

Hint

Rule 3 does not apply here. Bruteforce is allowed

jason.rar

Resolution

1. Crack the rar

We have an encrypted jason.rar archive.

We crack it with John the Ripper:

$ ./rar2john jason.rar > hash
$ john hash --wordlist=rockyou.txt
Warning: detected hash type "RAR5", but the string is also recognized as "RAR5-opencl"
Use the "--format=RAR5-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 56 password hashes with no different salts (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
1983             (jason.rar)       
56g 0:00:01:48 DONE (2023-08-05 22:37) 0.5138g/s 439.2p/s 439.2c/s 24597C/s 290392..01011985
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

2. Git commit history

Now that we have the password, we can decrypt the archive.

In the archive we have 2 directories:

  • cryptic-tod-secure
  • nothing_here_to_look_at

We went inside nothing_here_to_look_at and searched for info.

The only notable file is empty.txt, which seems to contain a link:

this link might be interesting
...
find my github pages site that i accidentaly deleted to find what u want :P
...

Since there is a .git directory, we can see the history with git log:

$ git log
commit 65e36b3f6fc7baa97fdb17ae17d4d0ab2ac9ff71 (HEAD -> main, origin/main, origin/HEAD)
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date:   Wed Jun 1 17:33:30 2022 +0530

    Create encoded.txt

commit c707cc578d25efe99348ed9e267156a8203224ae
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date:   Wed Jun 1 17:32:13 2022 +0530

    Create secret.txt

commit 38daa614da04a03b6c02149504bda43d56dcbd8a
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date:   Sat May 28 11:41:55 2022 +0530

    Update empty.txt

commit f50086b592f94cc8d05f9b1dde2eeb10d6c4713c
Author: cryptic-tod-secure <106369190+cryptic-tod-secure@users.noreply.github.com>
Date:   Fri May 27 11:52:07 2022 +0530

    something for u

We switch to an older version of the repo, from before empty.txt was modified:

$ git restore .
$ git checkout f50086b592f94cc8d05f9b1dde2eeb10d6c4713c

Now we open empty.txt and find a base64-encoded string:

aHR0cHM6Ly93d3cuaW5zdGFncmFtLmNvbS90b2RkX2phc29uX3NlY3VyZS8=

Once decoded, it gives us a link: https://www.instagram.com/todd_jason_secure/.
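The checkout-and-decode step above can be generalised to every historical version of a file, which is also how you would audit your own repository for data that was "removed" in a later commit but still sits in history. This is an added example, not part of the original write-up; the function names and the 16-character token threshold are assumptions chosen here.

```python
import base64
import binascii
import re
import subprocess

# Runs of base64 alphabet long enough to be worth decoding (threshold is a choice).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(text):
    """Return decoded strings for base64 tokens in `text` that are printable ASCII."""
    found = []
    for token in B64_TOKEN.findall(text):
        if len(token) % 4:
            continue  # not a whole number of 4-character base64 groups
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        decoded = raw.decode("ascii", errors="ignore")
        # Reject hex commit ids and ordinary long words that merely look like base64.
        if len(decoded) == len(raw) and decoded.isprintable():
            found.append(decoded)
    return found


def scan_history(repo, path):
    """Yield (commit, decoded) for every version of `path` reachable from any ref."""
    commits = subprocess.run(
        ["git", "-C", repo, "log", "--all", "--format=%H", "--", path],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    for commit in commits:
        blob = subprocess.run(
            ["git", "-C", repo, "show", f"{commit}:{path}"],
            capture_output=True, text=True,
        )
        if blob.returncode != 0:
            continue  # file does not exist in this commit
        for decoded in decode_candidates(blob.stdout):
            yield commit, decoded


if __name__ == "__main__":
    import sys
    for commit, decoded in scan_history(sys.argv[1], sys.argv[2]):
        print(commit[:12], decoded)
```

Run it as `python scan.py nothing_here_to_look_at empty.txt` (the script name is arbitrary); it needs `git` on the PATH.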

3. Instagram account

Since I don’t have an Instagram account, I used Picuki to see the profile:

There are two posts:

Posts

We get the first part of the flag in the second post: dsc{h4vINg_FuN_w1.

In the first post, there are 13 comments, and one of them points us to the next step:

Next step

4. Twitter account

For this step, you need a Twitter account.

On Twitter we search for todd_jason_secure:

Twitter

We find the tweet which gives us the second part of the flag:

Second part

The second part of the flag is base32-encoded; once decoded, we have: 7h_O5INT_@Nd_m4p5}.

And finally we get the flag: dsc{h4vINg_FuN_w17h_O5INT_@Nd_m4p5}.

This post is licensed under CC BY 4.0 by the author.